SQLite User Forum

Assertion error triggered by fuzzer

(1) By zzjas (zzjas98) on 2025-04-08 19:16:42

Hi,

Our fuzzing tool triggered a debug assertion when calling sqlite3_prepare16.

The simplified PoC is:

#include <stdint.h>
#include <sqlite3.h>
#include <stdio.h>

int main() {
    sqlite3 *db = NULL;
    int rc = sqlite3_open(":memory:", &db);
    size_t even_size = 12;
    uint8_t data[12] = { 0xfe, 0xff, 0x3f, 0xda, 0x00, 0xdf, 0xff, 0xda, 0x00, 0xdf, 0x00, 0x00 };
    sqlite3_stmt *stmt = NULL;
    const void *tail = NULL;
    rc = sqlite3_prepare16(db, data, (int)even_size, &stmt, &tail);
    if (stmt) {
        sqlite3_finalize(stmt);
    }
    sqlite3_close(db);
    return 0;
}

The output:

poc: sqlite3.c:35451: int sqlite3Utf16ByteLen(const void *, int, int): Assertion `0' failed.
Aborted (core dumped)

The failed assertion is the ALWAYS(z<=zEnd) here: https://github.com/sqlite/sqlite/blob/de93449908e8d7b82517f4ccef7886a1a68d1019/src/utf.c#L558

To reproduce, save the code snippet as poc.c at the root directory of sqlite3 and run:

mkdir -p bld
cd bld

export CC=clang
export CFLAGS="-g -DSQLITE_DEBUG=1"
export CXX=clang++
export CXXFLAGS=-g

../configure --shared=0
make -j$(nproc)

$CC $CFLAGS -I. -c ../poc.c -o poc.o
$CXX $CXXFLAGS poc.o -o poc ./sqlite3.o

./poc

Could you please help check if this is a cause of concern or simply benign behavior? Thanks!

Please feel free to let me know if you would like the original fuzzer & crashing input.

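The assertion named in the report guards a bounds invariant (z<=zEnd) inside a routine that counts how many bytes the first N UTF-16 code points of a buffer occupy. The following is an added illustration, written for this page and not code from the post or from SQLite, of what such a scanner has to get right: never read a second code unit of a surrogate pair past the end of the buffer, ignore a trailing odd byte, and stop early when the caller asks for more code points than the buffer holds. The function name utf16le_byte_len, the little-endian assumption and the two extra sample buffers are mine; the 12-byte input is the one from the PoC above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The 12 bytes from the PoC in post (1), read here as UTF-16LE. */
const uint8_t kPocInput[12] = {
    0xfe, 0xff, 0x3f, 0xda, 0x00, 0xdf, 0xff, 0xda, 0x00, 0xdf, 0x00, 0x00
};

/* Constructed samples: a lone high surrogate, and a high surrogate
   followed by a plain BMP unit instead of a low surrogate. */
const uint8_t kLoneHigh[2]      = { 0x3f, 0xda };
const uint8_t kHighThenAscii[4] = { 0x3f, 0xda, 0x41, 0x00 };

/* Return the number of bytes occupied by the first nChar code points of the
   UTF-16LE buffer z (nByte bytes long).
   - Never reads beyond z + nByte.
   - A trailing odd byte is ignored, since it cannot form a code unit.
   - A high surrogate is joined with a following low surrogate only if that
     second unit is fully inside the buffer; otherwise it counts alone.
   - Stops early if the buffer holds fewer than nChar code points, so the
     return value is always <= nByte. */
size_t utf16le_byte_len(const uint8_t *z, size_t nByte, size_t nChar) {
    size_t limit = nByte & ~(size_t)1;   /* largest even prefix */
    size_t pos = 0;
    size_t n = 0;

    while (n < nChar && pos + 2 <= limit) {
        uint16_t u = (uint16_t)(z[pos] | (z[pos + 1] << 8));
        pos += 2;
        /* Only look at the next unit if it is actually present. */
        if (u >= 0xD800 && u <= 0xDBFF && pos + 2 <= limit) {
            uint16_t lo = (uint16_t)(z[pos] | (z[pos + 1] << 8));
            if (lo >= 0xDC00 && lo <= 0xDFFF) {
                pos += 2;              /* consume the pair as one code point */
            }
        }
        n++;
    }
    return pos;
}

int main(void) {
    /* Ask for far more code points than the buffer holds: the scan must
       stop at the buffer end rather than overrun it. */
    printf("all code points: %zu bytes\n", utf16le_byte_len(kPocInput, 12, 100));
    printf("first 2 code points: %zu bytes\n", utf16le_byte_len(kPocInput, 12, 2));
    printf("odd length (11): %zu bytes\n", utf16le_byte_len(kPocInput, 11, 100));
    printf("lone high surrogate: %zu bytes\n", utf16le_byte_len(kLoneHigh, 2, 5));
    return 0;
}
```

For the PoC bytes the scanner sees 0xFFFE, two surrogate pairs and a NUL, four code points in 12 bytes; with only 11 bytes available it returns 10, and a lone high surrogate at the very end is counted as a single code point without touching the byte after it. A fuzzer that feeds odd lengths and truncated pairs into a routine like this is exactly what exposes an assert that is stricter than the code it guards.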
(2) By Richard Hipp (drh) on 2025-04-08 20:01:40 in reply to 1

Thank you for the bug report and for the simplified test case.

The code actually functions correctly. There is just a bad assert() added if you compile with -DSQLITE_DEBUG. That has now been fixed on trunk. Check-in 2025-04-08T20:00Z.

(3) By zzjas (zzjas98) on 2025-04-09 00:51:00 in reply to 2

Thanks for the quick reply and fix! I'm glad there's no danger!